Verifone PCI 3 End of Life Terminals

Did you know terminals have their own Payment Card Industry or PCI certification? The standards are part of the overall merchant requirements to maintain the security of cardholder data. Those rules change over time and a bunch of Verifone equipment is expiring, including the popular Vx520 countertop terminal and Vx820 pinpad.

Last August, Verifone issued an end of life notification on their PCI 3 range of payment devices in compliance with the PCI Security Standards Council PCI 3 expiration date of April 30, 2020. Often merchants will get notifications like this from their acquirer on their merchant statement.

Which Verifone terminals are impacted?

  • Vx520
  • Vx805 – M280-703-0X-XXX-X
  • Vx820 pin pad
  • Vx675, Vx680, Vx685, Optimum M5
  • Mx915 (PN 132-XX…), Mx925 (PN 132-XX…)
  • H5000
  • This list may not include all devices. Merchants should check with their providers, especially if they use a non-EMV device or were early EMV chip adopters.

What does End of Life mean?

  • Final date for new terminal sales (fall 2019)
  • End of Development- Improvements or changes have stopped
  • End of Support Date- Verifone will not issue software updates after April 2020, except that, until April 2023 they will continue to provide error corrections for Severity 1 (Critical) software errors, including security vulnerabilities.
  • End of Service Date- April 2023. Verifone will honor any extended support contracts to their term. Subject to component availability and other factors, Verifone will also continue to provide repair.

PCI PIN Transaction Security (PTS) v4 expires April 30, 2023. PCI PTS v5 expires April 30, 2026.

Are merchants PCI Compliant if they continue to use PCI 3 terminals after April 2020? The PCI Council urges but does not mandate merchants use approved PTS devices in their payment environments. However, in our experience, between payment brand and acquirer requirements, merchants generally need to use only approved PTS devices or risk getting shut down. Research expiration dates of terminals on the PCI Council web site. I’d be concerned about liability and the ability to prove PCI compliance, especially in the event of a data breach. Verifone will not issue software updates or provide development support after April 2020. If security vulnerabilities or exploits are identified by the processors after April 2020, and you’re using the terminals, who’s to say when or even if a solution could be found to fix it?

How disruptive would it be for your business to have to stop using them and get another solution? There are always people who procrastinate making changes. And when something goes wrong, phone calls to processors explode, so change is usually not as swift as you’d like.

Note, only employees and PCI QIR certified individuals can install or touch your credit card terminals. Terminals are one of the most important factors determining rates you pay and chargeback risk. Why? Call now to learn more. This is the perfect time for an external account review by a payments expert.

TIP for Christine Speedy Verifone Mx915 customers: If you have a part number that starts with “PN 132”, replace the terminal. If you were an early adopter and had your terminals deployed prior to the EMV chip liability shift in October 2015, there’s no need to check part numbers; they need to be replaced. Please contact me directly to consult on replacement options.

Call Christine Speedy, PCI QIR certified, for new PCI 5 terminals, technology review and/or merchant account review to maximize profits and improve your customer experience. 954-942-0483, 9-5 ET

D365 Customer facing invoice portal D365 F&O

Looking for a D365 F&O solution for clients to access an online portal to view and pay invoices? One of the key solution differentiators is the integrated payment gateway for credit card processing. Easily overlooked, it’s most impactful on profits. Other than merchant discount, the payment gateway is the single largest influence on the cost of credit card acceptance and chargeback risk.

How can a payment gateway impact costs?

  1. Authorization management. There’s a slew of rules, which are continually changing, regarding what has to happen in order to qualify transactions for the lowest cost possible. Virtually no payment gateways support all of them. For example, authorize.net doesn’t support unscheduled credential on file (stored card on file). Reference https://community.developer.authorize.net/t5/Integration-and-Testing/Visa-Stored-Credentials/td-p/60149. The average cost differential for a Mastercard business card is 1% for a transaction with valid authorization vs invalid (but approved).
  2. Customer disputes and chargebacks. A merchant can only defend disputes if they have proper authorization in #1. Instead of wasting time defending disputes, merchants can prevent them with 3-D Secure 2.0, a global cardholder authentication solution. If the payment gateway supports it, “it wasn’t me, I didn’t authorize it” goes away; liability belongs to the issuer.
  3. Rate Qualification. Items 1 and 2 above both reduce the cost of card acceptance. So does supporting level 3 data. It amazes me how many calls I get from consultants and merchant services salesmen that just want to help their customers qualify business and purchasing cards for level 2 rates. Why wouldn’t you want all clients to qualify for level 3 rates, which are substantially lower for business to business transactions?
  4. Stored credential compliance. This is not just securely tokenizing cardholder data, but complying with a new set of rules established in 2017, which all merchants and acquirers are required to comply with. Payment gateways have no such requirement. They can choose to provide the services to clients or not. The trickiest is unscheduled credential on file, which is what most business to business companies need, unless they have a SaaS billing model. Towards the end of 2019, a few more gateways were offering this, but the list is very small.

Few payment gateways support all four items above.

Call Christine Speedy for D365 F&O invoice portal with compliant payment gateway to maximize profits and improve your customer experience. 954-942-0483, 9-5 ET for all your recurring billing and stored credential payment gateway and virtual terminal needs.

Chargeback Reason Code 4837 – prevent and win

What is Mastercard chargeback reason code 4837, no cardholder authorization, and how can you win it? Don’t waste time defending chargebacks; make your company more profitable by preventing them. Combining card acceptance rules compliance with the latest technology to shift fraud liability is the number one method to prevent chargebacks.

What is Mastercard chargeback reason code 4837, no cardholder authorization?

The cardholder did not authorize the transaction.

What are some reasons why this happens when there is an existing relationship with the customer?

  • The card issuer can initiate a chargeback for invalid authorization; for example, a card present authorization was not settled within 24 hours.
  • The merchant has a stored card on file, but did not follow proper protocols for storing and using stored cards.

Key Examples of Shifting Fraud Liability

  • Card present, support EMV chip and pin debit
  • Ecommerce, use cardholder authentication with 3D Secure which shifts liability for this type of situation back to the issuer.
  • Phone orders- comply with card not present authorization rules, including settlement time frames

While the steps above may seem simple, most developers, consultants and merchants are unaware of the nuances for authorization compliance. The assumption is that the payment gateway supports all merchant needs, but that is not the case. As rules complexities continue to increase, many payment gateways, regardless of size, have failed to keep up. This creates new risk for merchants who are unaware, and nobody is informing them otherwise.

Want a 3D Secure v2.2.0 compliant payment gateway for your business? Call Christine Speedy, 954-942-0483, 9-5 ET.

Visa to Launch New Certification Program to Support Payment Industry Professional Development

Company will make 500 scholarships available to qualified applicants

Visa Inc. (NYSE: V) today announced plans to launch a new certification program and fund up to 500 scholarships, available to qualified applicants, that can be used toward obtaining this new professional certification. Visa’s new certification program is designed to train individuals as dispute resolution professionals, a role that is currently in high demand across the payments ecosystem.

With 75 percent of HR professionals in the U.S. reporting a shortage of skills in candidates for job openings, there is an increased need to better align training to the types of positions that are currently available. Certificate programs offer an alternative to a traditional degree, giving candidates the opportunity to develop the skills and experiences needed for a particular job in a shorter period of time and for less cost. A Georgetown University study found that those who hold certificates receive a 20% wage premium over those who do not.

“Private industry has an important role to play in helping equip the workforce with the skills needed for in-demand jobs. We need employers to actively assess workforce needs, promote skills-based recruitment and hiring and commit to workers’ lifelong skills development, which is critical to economic development,” said Visa Chairman and CEO Al Kelly, who serves on the White House American Workforce Policy Advisory Board to advise on ways the public sector, private industry and educational institutions can partner to tackle the ongoing skills crisis. “At Visa, we are working to help strengthen the pipeline of qualified workers. We want to help candidates adapt to a constantly changing environment.”

This certification program builds on Visa’s longstanding commitment to cultivating a ready and able workforce. Visa is one of more than 350 companies and organizations that signed the White House Pledge to America’s workers, a promise to expand programs that are designed to educate, train and reskill more than 14.3 million students and workers. Specifically, over the next five years, Visa has pledged to help create enhanced career opportunities for 14,500 individuals, including through increased apprenticeships and work-based learning programs, continuing education, on-the-job training and reskilling.

Visa’s new dispute resolution professional certification program will include multiple days of training and several professional-level certification exams. Dispute resolution professionals manage payment card disputes, and they generally work for financial institutions, such as the bank that issues your credit card, or payment processors.

Training and certification programs of this type can typically cost thousands of dollars, and participants in a program of this nature are often sponsored by an employer. Visa’s scholarship program for dispute resolution professional certification is meant to help support those who may not have the means through their employer. Details for how to apply for the scholarship are anticipated to be made available in early 2020.

“We are proud to offer this new certificate and provide a pathway to employment in the payments industry,” said Karie Willyerd, Visa’s Chief Learning Officer. “This is yet another demonstration of Visa’s commitment to provide today’s workforce with 21st century skills.”

About Visa Inc.

Visa Inc. (NYSE: V) is the world’s leader in digital payments. Our mission is to connect the world through the most innovative, reliable and secure payment network – enabling individuals, businesses and economies to thrive. Our advanced global processing network, VisaNet, provides secure and reliable payments around the world, and is capable of handling more than 65,000 transaction messages a second. The company’s relentless focus on innovation is a catalyst for the rapid growth of digital commerce on any device for everyone, everywhere. As the world moves from analog to digital, Visa is applying our brand, products, people, network and scale to reshape the future of commerce. For more information, visit About Visa, visa.com/blog and @VisaNews.

PSD2 compliant payment gateway

Need a payment gateway that supports Strong Customer Authentication (SCA) requirements for the EU Payment Services Directive (PSD2)? The EU requirements went into effect September 14, 2019, and like many new regulatory and card acceptance rules changes, some payment gateways are ready, some are not, and some may never get updated. This article addresses online payments and ecommerce transactions only.

Do US companies with US merchant accounts need to comply with PSD2?

Yes. This is hard to decipher when researching, but the key is: yes, they must comply if a transaction even ‘passes through’ the EU.

  • One leg out (OLO) transactions in any currency (where one of the Payment Service Providers (PSPs) is located inside the EEA and the other PSP is located outside the EEA). For example, a transaction involving US merchant account and an EU card issuer.

How does PSD2 Strong Customer Authentication impact US merchants?

  • It’s not required for Ecommerce transactions from EU cardholders to US merchants with US merchant accounts.
  • US merchants may experience increased issuer declines if not using SCA.
  • US merchants will likely experience increased fraud as the pool of web sites shrinks where criminals can commit fraud and get away with it.
  • GDPR regulations for ecommerce transactions from EU cardholders to US merchants with US merchant accounts do apply; choose payment gateways that support both GDPR and 3DS v2.2.0.

Which online payments are exempt from PSD2?

  • Commercial cards where there is no cardholder name, and thus no way to authenticate an individual.
  • Recurring transactions for the same amount- PSD2 applies for the initial transaction. If the amount changes, PSD2 applies. PSD2 applies for Unscheduled Credential On File for each transaction unless cardholder whitelists as per next item.
  • White-lists of trusted beneficiaries- cardholders can notify their issuer to allow payments to go through without SCA after initial transaction.

How can merchants get compliant with PSD2?

Merchants should use a payment gateway that supports 3DS v2.2.0, which supports Strong Customer Authentication or SCA. Visa specifically states in their rules (Table 5-17: Acquirer Support of Visa Secure by Region/Country – Requirements) that acquirers in the EU must process transactions using Visa Secure, which is their version of 3D Secure, a global protocol for securing card not present transactions. Only 3D Secure 2.x, not 1.0, meets the PSD2 requirements, with v2.2.0 being the most current as of this writing. This will get merchants compliant with PSD2.

Which payment gateways support 3DS v2.2.0?

Because the payment gateway may be one of multiple components in the checkout process, it may not be on a certification list. One popular payment gateway apparently is not being updated- Authorize.net; users are advised to upgrade to Cybersource per the Cybersource web site.

Want a GDPR and 3DS v2.2.0 compliant payment gateway for your business? Contact us for solutions.

DISCLAIMER: condensed and incomplete information! Information may be quickly outdated.

Want a GDPR and 3DS v2.2.0 compliant payment gateway for your business? Call Christine Speedy, 954-942-0483, 9-5 ET.